Archives For Cloud

Do you need a server? Perhaps one hosted by an important Corporation? No problem, there is a service for that (no, not an App)… a service provided by Hackers.

Drupal Servers have very recently be compromised (see: Attackers Exploit Drupal Vulnerability) and sold to other malicious people. The hilarious part is that the attackers even patched the compromised systems, in their case to protect against further attacks, but effectively doing a better job than the actual Administrators.

This is not news, I freely admit it: this has happened in the past and will happen again and again. Nevertheless, I find it to be quite hilarious, because attackers sometimes demonstrate great entrepreneurial spirit and technical ability, sometimes even better that their victims. Like those hackers that offered a guarantee to replace a compromised server with another, if the one assigned to you had been cleaned meanwhile or for any other problem (see: Service Sells Access to Fortune 500 Firms).

This is probably the biggest question, nowadays: should I jump in the latest hype in technology or wait a little bit more? A very common question and probably a difficult one to answer.

Let’s face it: it’s scary out there. When you surrender your own and your Customers’ data to a third party, typically to be hosted in a different Country, it’s only natural to wonder if it is trustworthy or not. Even worse, the danger could come from unexpected sources: you have to fear not only the Administrators appointed by the Cloud Provider to manage your data – that is a nightmare common enough – but also other Customers like you, using the same services. For example, very recently Amazon and Rackspace have been compelled to restart a number of their systems to patch them for a vulnerability in the Hypervisor technology they have embraced, Xen. The vulnerability would have allowed an application running in a guest Virtual Machine to crash the host or even to read its memory: this would have led to reading the memory of any of the other guests running in the same Server (see: Xen hypervisor found wanting in security).

So, what to do with that? Fear alone seem not to refrain people from publishing data on Internet. On the contrary, the number of people sharing freely their own data is growing by the day: Facebook, Twitter and LinkedIn come to mind as clear examples of this trend. Awareness of the risks involved in sharing data is also increasing: frauds big and small, phishing and also spying are everyone’s concern. Who doesn’t know about Heartbleed? Bing shows 32400 results, right now: that’s quite a common term, considering that it has been discovered only in April 2014. Shellshock is even more impressive: in less than one month, it has accumulated references by the millions! Most assuredly, not every reference refers to the actual bug, but those are impressive numbers, nevertheless.

But wait, are they news at all? Is it unheard of that there are bugs in code? Surely not. The first time an organization published the very first page on a network, it was the first time they opened a door for remote attacks. For sure, money attracts the attention of malevolent people, and this is even truer for the Cloud, because it can be at the same time a tool to perform misdeeds and also a huge treasure chest, ripe for the picking. But this is also true when you publish your application on Internet or when you give your data to an Outsourcer.

So, the issue is not the Cloud. Microsoft Azure, Amazon AWS and their cousins are only the most visible targets. Someone could say that they pose an additional risk, because they are so much in the news, but it’s arguable that you are safer not using them. The fact is that there are many reasons why any organization could be a target of someone else: hackers searching for a gain, by harassing you or your customers – you could be only a step of a greater attack – national agencies (NSA come to mind) or even disgruntled employees. The sad truth is that most organizations are target of attacks and that only some are aware of that, because most have not the right tools to understand the risk and identify attacks in a timely manner. For example, a customer of mine some times ago accidentally discovered a violation of its On-Premises Data Center, because one of the servers restarted without any apparent reason: the hackers were maintaining the compromised servers, installing software at their will, since long. This is not an isolated case: in literature you can find similar incidents by the thousands and the list grows by the day. Some of the most recent and famous violations are related to names like Target and Signature Systems.

So, the Cloud is not the issue, but the Cloud can be a part of the answer. It is common knowledge that the security of a system is determined by its least secure part. Cloud Providers make a point of managing their systems by the book, therefore they are (or should be) able to provide the most secure infrastructure (see: Microsoft Datacenter Tour (long version)). They are continuously target of attacks, but this maintain them vigilant and able to react promptly. They also strive to improve their security, trying to be a step ahead the bad guys. Surely, they are a target of more attacks than anyone else, considering that they are attacked not only as infrastructure providers but also because they host their customers’ data and applications. Nevertheless, this should not necessarily considered as a downside of the Cloud Providers, because it requires them to maintain top notch security over time. Can we, simple mortals, hope to achieve that level of security in our own Data Centers without investing a huge amount of resources?

But securing the infrastructure is hardly enough. With all the investments done in securing the Operative Systems and the Off-the-Shelves Applications in the past and continuing nowadays, attacks are focusing on custom Line-of-Business Applications. For example, with the adoption of a Security-oriented SDLC, Microsoft’s own Security Development Lifecycle (SDL), the vulnerabilities discovered after 3 years from RTM in two adjoining versions of SQL Server dropped of a sound 91% (see: Benefits of the SDL). Surely, ensuring that our applications are secure is not something achieved without a cost, but this is something we should consider as due in every project. Every Business Critical application should be developed with steps to ensure that it is Secure and that the data it manages are safe. In my experience, it is all too common that Security is taken as a given: something you want to be there but that you are not willing to pay for, and as a result you will not get. The typical behavior is to handle the incidents after the fact, when unimaginable damage has already been done and rushed damage recovery actions have to been performed.

Building your solution on the Cloud is like basing the next construction on strong foundations made by the best experts in the field. If you adopt sloppy methodologies on your part, the house will inevitably collapse under its weight and the inclemency of the bad weather; but if you use sound methodologies like SDL, you will build a construction that is strong and safe construction from its foundations to the roof.

And naturally, you will want to maintain it to ensure its safety over time… but this is a topic for another post.

Disclaimer

The author of this Blog, Simone Curzi, has been a Senior Consultant and Delivery Architect in Microsoft Consulting Services (MCS) Italy for more than 6 years and has spent a total of 15 year as a Consultant in MCS. After having spent 2 years as a Security Premier Field Engineer for Microsoft Proactive Services (CSS), he has recently joined Microsoft Global CyberSecurity Practice (GCP) as Senior Consultant.
Simone is also the Leader of Microsoft Technical Community for Application Security.
The content published here express his own personal opinions only. By any means they do not necessarily reflect Microsoft's assessments or persuasions around Security or any other topic discussed in this Site. Microsoft has not participated directly or indirectly to the preparation of the current Site, for example by providing any resource other than paying for the salary.
The content is based on public information and sanitized experiences: it will not contain Microsoft Internal-Only material nor information traceable to actual Customers, even if someone could occasionally recognize himself or herself.